
China Security Memo: Illuminating Beijing’s Cyber-War Strategy

June 8, 2011 | 1520 GMT

China's Take on Cyber-War

China Youth Daily published an essay June 3 written by two staff members at the People's Liberation Army's (PLA's) Academy of Military Science that illuminates China's take on cyber-war. "How to Fight Network War?" by Col. Ye Zheng and his associate Zhao Baoxian analyzes the opportunities and challenges offered by network warfare, including offensive, defensive and espionage efforts against adversary computer networks. While these challenges are nothing new to network security, the essay does provide some interesting insight into the PLA's thinking about fighting and spying via the Internet.

The authors outline five military uses for the Internet, which, as a true double-edged sword, offers both threats and opportunities. The first use is intelligence collection. The authors note that much of this intelligence is public, open-source information spread across the Internet that can be collated into something more valuable than the sum of its parts. And through creative manipulation of the Internet, including hacking, even more valuable intelligence can be gleaned. The second military purpose is network paralysis -- using botnets and viruses to disable websites, communications systems and even physical targets, as in the Stuxnet attacks. The third military use is network defense against the second type, and this requires a holistic system of active defenses to identify attacks and prevent sensitive information from being exposed.

The fourth operational purpose of the Internet, according to Ye and Zhao, is "psychological warfare." They noted that American publications have called the Internet the main battleground for public opinion and that the online organizing of opposition groups in Egypt and other parts of North Africa and the Middle East this spring is a good example of this form of cyber-warfare. The fifth military purpose is using Internet technology to achieve effects on the battlefield, though being able to achieve predictable effects on a time frame necessary for planning and conducting an integrated military campaign continues to be a technical challenge.

The June 3 essay in China Youth Daily is notably similar to pieces written by U.S. military scholars and Defense Department officials with a unique focus on psychological warfare. China's military has long seen psychological warfare as a force multiplier against foreign powers with greater conventional military capabilities, and in the current global environment, Chinese officials are very concerned about China being a victim. In a separate response to recent news of new U.S. cyber-war strategy, the "architect" of the Great Firewall, Fang Binxing, who is regularly involved in designing networks to block outside information, said the United States interferes in the domestic affairs of other countries through the Internet. His statement reflects the Chinese concern over foreign-based actors such as those behind the Jasmine movement and advocacy groups for internal Chinese dissidents like the Southern Mongolian Human Rights Information Center. Some of these groups incite protests while others simply spread information, particularly through social media. Beijing sees such information spread this way as an inherent threat to Chinese interests.

While the potential of cyber-espionage and physical attacks through Internet technologies is a serious concern in China and elsewhere, Beijing seems more worried about the Internet's being used by other countries to break through its Internet controls for psychological warfare purposes -- in other words, to inflame public opinion and create social unrest, which is the government's top concern. But it is also, at least rhetorically, concerned about recent U.S. statements that a cyber-attack could be responded to by a conventional one. Li Shuisheng, a research fellow at the Academy of Military Science, said such U.S. statements were a warning geared to maintain U.S. military superiority. The concern is that the United States could decide to hold a government responsible for any attack within its borders, whether the act of aggression is conducted through the Internet or by using more traditional military means.

The Attribution Problem

On June 1, Google publicly blamed individuals in Jinan, Shandong province, for a coordinated series of "spear phishing" attacks on Gmail accounts that security experts had observed since February. These attacks did not involve the actual hacking of Google's computer infrastructure but instead were intelligence-gathering attempts specifically targeting the personal email accounts of U.S. and South Korean government employees, among others.

The attacks have yet to be traced back to Chinese state intelligence organizations or specific individuals in the country, even though the attacks fit squarely within the Chinese method of mosaic intelligence-gathering. A Chinese Foreign Ministry spokesman called Google's allegations "unacceptable." The issue highlights the intelligence threat that anyone, including the Chinese, can pose online and the challenges of identifying the source of the attack and devising an effective response.

A substantial amount of intelligence and careful coordination went into the most recent attacks against Google. According to the company, whoever coordinated the attacks identified personal rather than government or business email accounts and the targets were "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists." Spear phishing involves specific emails designed to look real to the victims in order to get them to release passwords or other personal information. A wide range of intelligence must be gathered, including contact information on the individual targets and their associates and the various issues they work on and interests they pursue. This would not require a state intelligence agency, but it would require significant resources, particularly time and people.

The attackers sent emails that appeared to be from known personal contacts to the targeted individuals' Gmail accounts. The emails included links that would prompt the targets to sign in again into their accounts but on another website where their passwords would be stolen. With this information, the hackers could collect whatever came through the victims' personal accounts and quietly forward the emails to another account.

Google specifically pinpointed the attacks as originating in Jinan, a city in Shandong province already notorious as a hacking center. It is home to the Lanxiang Vocational School, the source of the January 2009 hacking attack on Google's servers as well as other intelligence-gathering attacks. But a report by Mila Parkour in the blog Contagio Malware Dump, which publicizes new malicious software (malware), noted that servers in New York, Hong Kong and Seoul were also used. Google has long been at odds with the Chinese government, which recently called the search engine the "new opium" in a People's Daily editorial. But Google may also have unreleased information leading it to Jinan, which is a common origin of these types of attacks.

Whether or not the perpetrators belonged to an official entity, the attack did fit the Chinese espionage pattern known as mosaic intelligence-gathering. China has long been developing cyber-espionage capabilities that target businesses as well as foreign governments. The personal accounts themselves may actually reveal very little information about government work, but they could provide leads for collecting other intelligence or detect weak points in a network's operational security. If China -- specifically the Third Department of the PLA or the Seventh Bureau of the Military Intelligence Department, which are most responsible for the country's cyber-espionage -- is responsible for the Google attack, the small bits of intelligence it collected will all be part of the mosaic it is building to better understand U.S. or South Korean policies and plans or to find and disrupt political dissidents.

While the forensic effort required to investigate these attacks is daunting (as are the political ramifications), Google provides some cogent advice for protecting personal email accounts: Gmail users should be aware that phishing probes are not always as simple as the Nigerian princess asking for your bank account information; they often involve someone impersonating a known contact to acquire your email address, password and other proprietary information. To guard against this, email users should employ passwords that would be difficult for a stranger to figure out, change the passwords regularly and watch for suspicious activity on the account.

This is especially important because while U.S. officials may be a major target, foreign intelligence agencies and cyber criminals are consistently targeting business people in economic espionage.


June 1

  • The deputy general manager of the data service division of China Mobile Ltd., Ma Li, was detained by Beijing police in connection with a corruption investigation into the telecommunications industry, Chinese media reported. A source within the investigation said Ma's case involved nearly 110 million yuan (about $17 million) in bribes paid to him. Another 60 people, including government employees, are now targeted by the investigation. China Mobile has denied that a large-scale investigation into their company or the telecommunications industry is ongoing, stating only that a few people are targets of the probe.
  • A man suspected of participating in a robbery was shot and injured by Harbin Public Security Bureau officers. Police were called to the scene after reports of a robbery and riot near hotels in the Shiji Huayuan district of Harbin, Heilongjiang province. One police officer was injured by the suspect.
  • A furnace explosion in the aluminum alloy production area of a factory owned by Xinjiang Yuansheng Technology Development Co. in Urumqi, Xinjiang province, killed four people and injured 16, three seriously, with another two missing, Chinese media reported. An investigation is ongoing but initial reports indicate the explosion was an accident.
  • Shanghai police arrested a man suspected of seriously injuring two traffic officers while drunk driving. The suspect was stopped by the two officers and found to have a blood alcohol level above the legal limit. When the man returned to his car reportedly to get his license and a drink of water, he drove off, hitting the officers and escaping. The suspect admitted the crime to police after being caught. The authorities had turned to the Internet for help from "netizens" in order to catch the man, using a microblog to publish information about the suspect.

June 2

  • Chinese authorities closed the Incidental Art Festival in Beijing after what they considered an act of subversion by curators. The show's organizers had left a wall blank with the name Ai Weiwei written where the artist's name is typically listed. A gallery employee stated that three of the event organizers had disappeared, but this has not been confirmed.

June 3

  • Security restrictions remain in place in Xilinhot, Inner Mongolia, after protests relating to the May 10 incident in which a Mongolian herder was struck and killed by an ethnic Han truck driver. There are conflicting reports on whether the situation has normalized. According to one tourist agency, only people with Chinese mainland identification cards are allowed into Xiwu Banner, where the incident occurred, because the situation is still tense. The U.S.-based Southern Mongolian Human Rights Information Center reported almost 100 arrests of ethnic Mongolian students, herders and residents in connection to the unrest.

June 5

  • Linchuan district Communist Party of China Committee Secretary Fu Qing and district head Xi Dongsen were fired after an incident in which a man set off explosives at government buildings May 26 in Fuzhou, Jiangxi province, over a dispute related to resettlement compensation. The man suspected of detonating the explosives had accused Xi of stealing money originally meant for households evicted to make way for a highway construction project.

June 6

  • Harbin Pharmaceutical Group, the largest maker of antibiotics in China, was reported to be dumping poisonous waste into a populated neighborhood for many decades in Harbin, Heilongjiang province, China Central Television reported. The levels of hydrogen sulphide released by the factory were more than 1,000 times the legal limit. The neighborhood is residential but also includes universities and hospitals. According to the report, authorities have not taken action on the case.
  • A preacher, two deacons and a pastor resigned from a large and influential "unofficial" church in Beijing after disagreement within the church leadership over whether the church should hold Sunday services outdoors after authorities closed their usual place of worship in Beijing. The church has had hundreds of members detained since April.